Re: Debian Full Distro v Debian 'Stripped Down' for firewall?
Dave Ewart wrote on Mon 17. 01. 2005 at 14:19 +0000:
> On Monday, 17.01.2005 at 14:05 +0000, Robert Brockway wrote:
>
> > >4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> > >actually listen for any services of its own, with the exception of SSH
> > >from a single IP on the 'GREEN' interface.
> >
> > Best practice has it that no services are run on the firewall (except ssh)
> > to avoid someone being able to get in behind the firewall and bring it
> > down. Do compare this though to the security of letting someone _through_
> > the firewall. If you are letting people into your internal network it is
> > just as bad unfortunately. A DMZ is needed for decent security but that
> > may not be viable in a home setup. Security is about assessing risk vs
> > the effort you want to go to (or can afford).
>
> We're doing the classic DMZ 'three-armed' network layout, nothing comes
> directly into GREEN; the DMZ will house the publically-accessible
> servers.
>
> > >Possible additional measures:
> > >
> > >5. Fine-tune kernel for routing and firewall behaviour;
> >
> > You're unlikely to stress the box enough to warrant it IMHO. Firewalling
> > is packet evaluation and passing. If you are loading the box so much that
> > you need to fine-tune it then getting a bigger box is a good plan.
>
> That's a good point ... :-)
>
> > >6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> > >host on the GREEN network for logging.
> >
> > I wouldn't send syslog information outside the network unencrypted if I
> > had a choice. There are ways to encrypt the data once it leaves the
> > network.
>
> Oh, yes, I agree - by GREEN I mean the local private network of course.
> My use of 'outgoing' was misleading ... :-)
>
> Thanks for your comments.
>
> Cheers,
>
> Dave.
PPTP is problematic... I used it on 2.4.18 and 2.6.5, but with 2.6.8.1
it is not working for me. Therefore I use OpenVPN now and it's much better
in every way.
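The firewall the quoted messages describe, as an added example that is not from this thread, from Debian or from IPCop: a three-armed forwarding box with default-deny policies, which itself accepts nothing but ssh from one GREEN address, sends syslog over UDP 514 to a host on GREEN, forwards GREEN out to RED and into the DMZ, lets the public in only to the DMZ web server, and never forwards new DMZ traffic into GREEN. The interface names, the ORANGE label for the DMZ, and every address below are assumptions. The script emits the ruleset in iptables-restore format so it can be reviewed and checked before it is loaded atomically.

```shell
#!/bin/sh
# Three-armed forwarding firewall (added example, not from the thread).
# Interfaces, zone names and addresses are assumptions for illustration:
#   RED    = eth0, public side
#   GREEN  = eth1, 192.168.1.0/24, trusted LAN
#   ORANGE = eth2, 10.0.0.0/24, DMZ holding the public servers
set -eu

RED=eth0;    GREEN=eth1;  GREEN_NET=192.168.1.0/24
ORANGE=eth2; ORANGE_NET=10.0.0.0/24
ADMIN_IP=192.168.1.10     # the single GREEN host allowed to ssh to the firewall
LOGHOST=192.168.1.20      # GREEN syslog collector, UDP 514
WEB_SRV=10.0.0.10         # public web server living in the DMZ

# Emit the ruleset in iptables-restore format instead of calling iptables
# rule by rule, so it can be reviewed, checked and then loaded atomically.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# The firewall itself listens for nothing but ssh from ADMIN_IP on GREEN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $GREEN -s $ADMIN_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $GREEN -s $GREEN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# Outbound from the firewall: replies, plus syslog to the GREEN log host only.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $GREEN -d $LOGHOST -p udp --dport 514 -j ACCEPT
# Forwarding between the arms: spoofed private sources on RED are dropped first.
-A FORWARD -i $RED -s $GREEN_NET -j DROP
-A FORWARD -i $RED -s $ORANGE_NET -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GREEN -o $RED -s $GREEN_NET -j ACCEPT
-A FORWARD -i $GREEN -o $ORANGE -s $GREEN_NET -j ACCEPT
-A FORWARD -i $ORANGE -o $RED -s $ORANGE_NET -j ACCEPT
-A FORWARD -i $RED -o $ORANGE -d $WEB_SRV -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $RED -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SRV
-A POSTROUTING -o $RED -j MASQUERADE
COMMIT
EOF
}

# Invariants to verify before loading: default-deny in every filter chain,
# the ssh exception present for ADMIN_IP only, and no ACCEPT from DMZ to GREEN.
check_rules() {
    rules=$(gen_rules)
    for chain in INPUT FORWARD OUTPUT; do
        echo "$rules" | grep -q "^:$chain DROP" || return 1
    done
    echo "$rules" | grep -qF -- "-i $GREEN -s $ADMIN_IP -p tcp --dport 22" || return 1
    if echo "$rules" | grep -q -- "-i $ORANGE -o $GREEN .*-j ACCEPT"; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    --apply) check_rules && gen_rules | iptables-restore ;;
    --check) check_rules && echo "ruleset passes invariants" ;;
    *)       gen_rules ;;
esac
```

Run it with no arguments to print the ruleset for review, `--check` to run the invariants, and `--apply` (as root) to load it in one iptables-restore transaction so there is never a half-applied table. The OUTPUT chain deliberately allows nothing but syslog to the GREEN collector; if the box is to fetch package updates itself, egress for DNS and the mirror has to be added explicitly rather than by relaxing the policy.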